1. Purpose of this Privacy Policy

Cerbona Élelmiszergyártó és -forgalmazó Korlátolt Felelősségű Társaság (hereinafter: “Cerbona” or “Data Controller”) hereby informs visitors of www.cerbona.huand www.cerbona.com (hereinafter collectively: the “Website”) of the principles and practice of processing of personal data, measures taken for ensuring data security, and the rights of the visitors in connection with this, as well as the options to remedies in accordance with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: “Privacy Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: Data Protection Regulation).

The Data Controller respects the rights of the visitor of the Website; personal information is handled in accordance with the provisions of this Privacy Policy, in accordance with data protection laws and international recommendations.

According to the Privacy Act, Section 20, § (1) bekezdése szerint az érintettel (azaz a Honlap látogatójával, tehát a felhasználóval, az állásra jelentkezővel, stb., a továbbiakban együtt: User or Data Subject) shall be informed prior to the processing of the data that the data processing is based on consent or mandatory.

The Data Subject must be clearly and thoroughly informed about all facts in connection with the data processing, especially the purpose and legal basis of the data processing, about the person authorized to perform data processing and handling, and the duration of the data processing. This information shall also cover the rights and remedies concerning the Data Subject.

This Privacy Policy is based on the specifications for content above and applies to the websites www.cerbona.hu and www.cerbona.com.

This Privacy Policy and information on the use of the Website is subject to change without notice in advance from the Data Controller, with the changes in effect from the date of the modification, periodically due to various updates. In view of this, regular visits to the Website are recommended to monitor the changes and whether they are acceptable.

2. Scope of this Privacy Policy

Material scope: The material scope of this Privacy Policy applies to all personal data that come to the notice of the Data Controller during the operation of the Website, the visits to it, and the use of its services.

4. Definitions

This shall mean performing technical tasks in connection with data processing operations, regardless of the method and means used for executing the operations, as well as the place of use, provided that the technical task is performed on the data.

Data processor

This shall mean a natural or legal person, public authority or any other organisation which performs data handling on behalf of the data controller, on the grounds of a contract.

Data processing

This shall mean any operation or the totality of operations performed on personal data or data files, in either an automated or not an automated manner, in particular, collecting, recording, systematizing, classifying, storing, transforming or modifying, querying, viewing, utilizing, transferring, disclosing by dissemination or by other methods, synchronising or connecting, restricting, deleting or destructing the data.

Data controller

This shall mean a natural or legal person, public authority or any other organisation which alone or jointly with others determines the purposes and means of the processing of data.

Data tagging

This shall mean the marking of data by a special ID tag to differentiate it.

Data deletion

Az adatokat tartalmazó adathordozó teljes fizikai megsemmisítése.

Data transfer

This shall mean ensuring access to the data for a third party.

Data deletion

This shall mean making data unrecognisable in a way that it can never again be restored.

Blocking of data

This shall mean marking data with a special ID tag to indefinitely or definitely restrict its further processing.

Any natural or legal person, or organisation without legal personality other than the Data Subject, the Data Controller or the data processor.

Consent

This shall mean any freely and expressly given specific and informed indication of the will of the Data Subject by which he signifies his or her agreement to personal data relating to him or her being processed – fully or to the extent of specific operations.

Special data

This shall mean personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life

This shall mean data relating to the User as a Data Subject (in particular by reference to the name and identification number of the Data Subject or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity) as well as conclusions that may be drawn from the data with regard to the Data Subject.

In the course of data processing, the data in question shall be treated as personal as long as the Data Subject remains identifiable through it.

Any information in connection with a natural person (“Data Subject”) is considered identified or identifiable. The act of identification may not need to be performed, the Data Subject shall already be considered identifiable (“identifiable”) if the Data Controller is in possession of a way to perform identification.

Objection

This shall mean a declaration made by the Data Subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed. For example: objection to the creation of a profile or automated data processing.

5. Legal basis for data processing

Personal data may be typically processed by the Data Controller on the legal basis as follows:

5.1. Consent by the Data Subject

Consent by the Data Subject is an acceptable legal basis for data processing if it’s based on voluntary, express and sufficiently informed consent.

The party concerned may give his or her consent in a statement (e.g. in a contract, in a form, etc) or by means of any act providing an unambiguous expression (but in a verifiable way) of confirming his or her consent to the data processing. In case of doubt, the Data Controller presumes that the party concerned did not provide the consent.

Data processing is necessary for the performance of any contractin which the Data Subject is one of the parties (such as a contract of employment, a contract for supply of goods, etc) or it is necessary for taking steps at the request of the Data Subject prior to the conclusion of the contract (e.g. to provide a quote).

Data processing is necessary to fulfill legal obligations of the Data Controller.

When processing is necessary as decreed by law (e.g. payroll in connection to tax and contribution payments), data processing is mandatory. The Data Subject is informed about this by the Data Controller. If the law is in force and effect, the Data Controller is obliged to act accordingly, without the ability to examine the expediency, professionalism or constitutionality of the law.

Data processing is necessary to enforce the legitimate interests of the Data Controller (e.g. personal and property protection, business secrets).

In the case of data processing of personal data in connection with this legal basis, the Data Controller informs the Data Subject of this legal basis, conducts an interest balancing test, which the Data Controller also informs the Data Subject as well as of his or her rights of objection.

Other legal basis for data processing

If the Data Subject is unable to give his or her consent due to possessing no legal capacity to give consent or for any other reason beyond his or her control, the personal data of the Data Subject may be processed to the extent necessary for the protection of the vital interests of the Data Subject or another person or to prevent or avert a direct threat to the life, physical integrity or possessions of people.

If the personal data was collected with the consent of the Data Subject, the Data Controller may process the recorded data in the absence of any different provision of the law in order to fulfill legal obligations pertaining to the Data Controller or to enforce a legitimate interest of the Data Controller or a third party, provided that the enforcement of this interest is proportional to the restriction of the right to the protection of personal data, where such data processing may be performed without further specific consent as well as after the withdrawal of the consent of the Data Subject.

The Data Controller informs the Data Subject if his or her personal data is processed based on this legal background.

6. The purpose and duration of data processing

The Data Controller processes personal data only for specific purposes (e.g. participation in a recruitment process, conclusion and performance of a contract, invoicing, handling complaints, etc), for the purpose of exercising rights and fulfilling obligations. At all stages of data processing, the data processing is performed in accordance with its purpose.

The Data Controller processes only personal data that is required and suitable for the purpose of the data processing, and only for the duration necessary for this.

In the course of data processing, the data in question shall be treated as personal as long as the Data Subject remains identifiable through it. The data shall be considered identifiable regarding the Data Subject if the data controller is in possession of the technical requirements which are necessary for identification.

The Data Controller ensures data accuracy, completeness and – if necessary for the purposes of data processing – the timeliness of the data as well as arrangements so that the identification of the data subject may only be possible for the duration required for the purpose of data processing.

The Data Controller does not intend to treat personal data of persons under the age of 16 – except in the cases where the Data Controller is required to comply with its statutory obligations. If the Data Controller becomes aware that recording of the personal data of a person under the age of 16 occurred – without the express consent of the legal representative of this person under the age of 16 -, the Data Controller will ensure deletion of such data within the shortest possible time period.

7. Website visit

During the use of the Website, the provider of the hosting service to the Data Controller may access certain information about the User’s Internet usage, which is not processed by the Data Controller; in this respect, the data management policies of the hosting provider concerned are the governing principles.

Adatkezelő tárhely-szolgáltatója:

Name

Headquarters

Data processor task

Tárhelypark Kft.

2724 Újlengyel, Határ út 12.

Hosting service

There are links to webpages located on the Website that may provide useful information to Users. This Privacy Policy does not cover these pages.

8. Management of cookies

In order to facilitate the use of the Website, the Data Controller utilizes an anonymous visitor identification method, so-called cookies. Cookies are small data temporarily downloaded from the browser program to the hard drive of the User’s computer upon visiting the site. Cookies used by the Data Controller are not suitable for identification of the User’s personal data. The User has the option to delete such “cookies” from the Tools/Preferences menu of the browser program, with the relevant menu option usually located under the Privacy menu item.

Cerbona’s website records the country from which the page is viewed so as to load the page in the relevant language but does not process personal information.

9. Job applications

On data collection: At the URL www.cerbona.com/karrier/one may apply for a job at the Data Controller. When applying for a job, the applicant provides information to the Data Controller that is considered to be personal information.

9.2. The processed data are as follows:

Personal data:

name of the applicant,

permanent residential address,

place of residence,

telephone number,

e-mail címe,

birth date and place of birth, as well as

a photo uploaded or sent via other means,

other personal data provided by the applicant in the cover letter, in the CV, in other application forms (hereinafter collectively: Application).

9.2.2. Special Data:

If the job applicant communicates any type of special data in the Application to the Data Controller during the application process for any purpose and reason, (e.g. data relating to his or her health, such as altered working ability), the Data Controller considers this

as express consent for data processing but reserves the right to delete such data without delay.

The Data Controller does not request submission of a good-conduct certificate, and does not process data

in this regard.

9.3. The Data Subjects:

In the case of data processing regarding Applications submitted for a specific job advertisement: all applicants applying for the job posting by Data Controller

In the case of data processing regarding Applications submitted for a specific job advertisement which were not accepted: all applicants applying for the job posting by Data Controller except for the winning applicant

In the case of data processing regarding Applications submitted for a specific job without an advertisement: all applicants applying for the job position not advertised by Data Controller

9.4. Source of data:

The Data Subject himself or herself, the Application submitted by the Data Subject

9.5. The purpose of the data processing:

In the case of data processing regarding Applications submitted for a specific job advertisement:

to ensure the participation of the job applicant in the Data Controller’s workforce selection process, to select suitable prospective employees to fill vacancies for positions advertised, as well as

certain data for the purpose of contact (e.g. name, contact details), other data (e.g. qualifications, work experience) for the selection process, or to determine rights and obligations (e.g. birth time for age-based compensatory leave) are required.

In the case of further data processing regarding Applications submitted for a specific job without an advertisement

– to ensure the participation of the candidate in further workforce selection processes for later vacancies to be filled in at the Data Controller, to reuse the Application submitted for a previous job posting for the purpose of the selection of suitable prospective employees to fill posts, as well as

certain data for the purpose of contact (e.g. name, contact details), other data (e.g. qualifications, work experience) for the selection process, or to determine rights and obligations (e.g. birth time for age-based compensatory leave) are required.

9.5.3. In the case of data processing regarding Applications submitted for a specific job without an advertisement

to ensure the participation of the job applicant in the Data Controller’s workforce selection process, to select suitable prospective employees to fill vacancies, as well as

certain data for the purpose of contact (e.g. name, contact details), other data (e.g. qualifications, work experience) for the selection process, or to determine rights and obligations (e.g. birth time for age-based compensatory leave) are required.

Legal basis for data processing: the voluntary consent of the applicant, also in the case of further data processing regarding Applications submitted for a specific job without an advertisement, the voluntary consent of the applicant for further data processing in the case of the Application not being accepted for the job position

9.7. The duration of data processing:

In the case of data processing regarding Applications submitted for a specific job advertisement: The Data Controller processes the personal information provided for work force selection purposes during the selection process.

In the case of further data processing regarding Applications submitted for a specific job advertisement as well as Applications submitted for a specific job without an advertisement: The Data Controller processes personal data provided for the purpose of the workforce selection process, as well as – with the special authorization of the Data Subject – for recruiting purposes for a period of one year after the conclusion of the selection process.

In the case of a labour dispute (e.g. the Data Subject initiates such a procedure on the basis of a claim of breach of equal treatment), the Data Controller shall store the Application for the required period of time, based on its legitimate interest. In the case of a labour dispute (e.g. the Data Subject initiates such a procedure on the basis of a claim of breach of equal treatment), the Data Controller shall store the Application for the required period of time, based on its legitimate interest.

Persons eligible to access the data: Employees participating in the Data Controller’s workforce selection process. The Data Controller does not provide data to a third party, except for the procedures prescribed by law, if initiated by authorities (e.g. court proceedings, police inquiries, etc).

For information about the rights of Data Subjects involved in dataprocessing, see section 13 of this Privacy Policy.

10. Data processing of complaints

On data collection The consumer may file a complaint to the Data Controller either verbally or in writing about the conduct, activity or omission by the Data Controller directly related to the distribution or sale of the goods to consumers. The verbal complaint must be investigated immediately and remedied as necessary. If the consumer disagrees with the handling of the complaint or the immediate investigation of the complaint is not possible, the Data Controller shall immediately record the complaint and its own position regarding the complaint, as well as issue a copy thereof to the consumer in the case of a verbal complaint presented in person, or deliver it to the consumer in the case of a verbal complaint communicated by telephone or other electronic means, together with the substantive response at the latest, and, in addition, in the case of written complaints, the Data Controller shall provide a substantive response in writing within thirty days after receipt of the written complaint, as well as take measures to communicate it to the consumer. Shorter deadlines may be set by legal regulations, and longer deadlines by legal acts. The Data Controller shall state the reasons for rejecting the complaint. (Consumer protection law, Fgytv. 17/A. § (2), (3), Sect. (6))

10.2. The processed data are as follows:

The name and address

of the Data Subject,

the place, time, manner of presentation of the complaint,

a detailed description of the complaint, an account of documents and other evidence as presented,

– the place and date of the recording of the report,

the unique identification number of the complaint when provided via telephone or other electronic communications services

The Data Subjects: all natural persons filing the complaint

Source of data: The Data Subject himself or herself, the complaint submitted by the Data Subject

The purpose of the data processing: Ensuring the communication, investigation of the complaint, providing a substantive response, as well as contact.

The duration of data processing: The data controller shall keep the records of the complaint and the copy of the substantive response for a period of five years and present it to the inspection authorities upon request. (Consumer protection law, Fgytv. 17/A. § Sect. (7))

Persons eligible to access the data: Employees participating in the data complaint handling process. The Data Controller does not provide data to a third party, except for the procedures prescribed by law, if initiated by authorities (e.g. court proceedings, police inquiries, etc).

For information about the rights of Data Subjects involved in data processing, see section 13 of this Privacy Policy.

11. Customer relations and other data processing

If the Data Subject may have a question about the use of the Data Processing services, or if the Data Subject may have an issue, he or she may contact the Data Controller via the Website or at the contact details provided in this Privacy Statement at Section 3.

The Data Controller will delete all received emails, messages, or information provided by telephone along with the name and email address of the inquiring party, as well as other voluntarily entered personal information, after a maximum of one year from the date of disclosure.

The Data Controller provides information on cases of data processing that are not listed in this Privacy Policy,

at the time of registration of the data.

In the case of a request by authorities or other bodies on the basis of the authorization of the law, the Data Controller is obliged to provide information, to communicate or to transfer data or to make documents available.

In these cases, the Data Controller shall provide the requesting party – provided such party indicates the exact purpose and scope of the data – with personal data only to the extent that it is essential to achieve the purpose of the inquiry.

12. Data security

The Data Controller ensures the security of the data, takes technical and organizational measures and establishes the procedural rules necessary to enforce governing laws, data protection and confidentiality regulations also in respect of data files stored on traditional paper-based media.

The Data Controller protects the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as inadvertent destruction and damage as well as against the data becoming unavailable due of changes in the utilized technology.

The Data Controller is continually aware of the state of the art of technology when defining and applying data security measures. The Data Controller chooses from several possible data processing solutions the one that provides a higher level of protection of personal data unless it poses disproportionate difficulties in implementation.

In order to prevent unauthorized access to personal data, alteration of the data or disclosure or utilization of such data, the Data Controller shall ensure:

the setup and operation of the right IT and technical environment, where the Data Controller’s IT system protects against computer viruses, spam, dangerous websites and other attacks.

– the controlled selection and supervision of employees for providing the service,

the publication of detailed operating, risk management and service procedures.

The Data Controller handles electronic and paper-based records on the basis of universally applied principles, taking into account the varying features of the different media utilized for record-keeping.

By proper implementation of a record-keeping system, a system of access rights and other organizational measures the Data Controller ensures that the personal data being processed shall only be accessed by employees and other persons acting on behalf the Data Controller who are required to view such data in order to perform their duties.

The practice of the management of data files, the safe storage of them, the access rights, the utilization of the data and the documentation is strictly in accordance with the regulations and instructions in effect in the organization of the Data Controller.

With the practice of technical and organizational measures, the Data Controller shall ensure in particular:

minimization of the processing of personal data, limiting the processing of personal data and the duration of data processing to satisfy essential needs only,

the transparency of the functions and processing of personal data (e.g. data management records)

the Data Subject may track the processing of their personal data.

The Data Controller ensures that the processed data

be made available to the Data Subject,

its authenticity and certification are ensured,

its uniformity is verifiable.

13. The rights of the Data Subject in relation to the data processing

13.1. Right to information

The Data Controller informs the Data Subjects about the details of the data processing before commencement of processing. The obligation of the Data Controller regarding providing of such information exists without any specific request communicated by the Data Subject. Information may also be provided by the Data Controller by the publication of information about the details of data processing and informs the Data Subject of the publication.

The Data Subject may request information from the Data Controller in writing by means of the contact details provided in Section 3 of this Privacy Policy, regarding the following:

what personal information are processed,

on what legal basis,

for what data processing purposes,

for what duration,

whether data transmission takes place, or whether a data processor is utilized, or

who is provided access to the personal data by the Data Controller,

what rights apply to the Data Subject,

as well as information on the fact of automated decision-making,

and whether the submission of such personal information is mandatory,

and, in addition, the legal consequences of lack of consent,

– also, if the personal data was not collected directly from the data subject by the Data Controller, information on the actual source and whether it is publicly available.

The Data Controller shall fulfill the request for information by the Data Subject in writing within a maximum of 30 calendar days upon receipt of the request, by delivering the response to the address specified by the Data Subject.

If necessary, this deadline may be extended by another 60 days, taking into account the complexity of the request and the overall number of requests. Information is provided free of charge if the applicant for information has not yet submitted an information request for the same topic in the current year. In other cases, reimbursement may be required. Reimbursement already paid should be refunded if the data was unlawfully handled or the request for information resulted in a correction.

The Data Controller shall only deny information from the data subject if permitted by law. The Data Controller shall inform the Data Subject of the reasons for refusal of providing of information. In this case, the Data Controller informs the Data Subject of any legal opportunities to appeal.

13.2. Right of access

The Data Subject has the right to receive feedback from the Data Controller about whether his or her personal information is currently being processed and, if such processing is in progress, he or she has the right to gain access to his or her personal information and the following information:

– the purposes of data processing;

the categories of personal data concerned;

– the categories of recipients with whom or with which personal data have been communicated or will be communicated to,

the intended duration for the storage of personal data or, where this is not

possible, the criteria for determining such a time period;

the right of the Data Subject to request the Data Controller to rectify, delete personal data concerning him or her or restrict the processing of such personal data and, in addition, the Data Subject may object to the processing of such personal data;

the right to lodge a complaint addressed to a supervisory authority;

– if the Data Controller did not collect the data from the Data Subject, all available information about their source.

There is no automated decision-making or creation of a data profile, and no data is transmitted to a third country or international organization.

The Data Controller shall provide the Data Subject with a copy of the personal data subject to the data processing. For additional copies requested by the Data Subject, the Data Controller charges 5 Forint + VAT for each A4 page. If the Data Subject submitted the request electronically, the information will be provided by the Data Controller in a widely used electronic format, unless otherwise requested by the Data Subject.

The Data Controller shall fulfill the request for information by the Data Subject in writing within a maximum of 30 calendar days upon receipt of the request, by delivering the response to the address specified by the Data Subject.

If necessary, this deadline may be extended by another 60 days, taking into account the complexity of the request and the overall number of requests.

13.3. Right to data portability

In the case of data processing based on the consent by Data Subject or on the basis of the performance of a contract, the Data Subject shall be entitled to receive his or her personal data provided to the Data Controller in a widely used, well-formatted and machine-readable format and to transfer this data to another Data Controller in which the Data Subject is not hindered by the Data Controller.

The Data Subject may also request the Data Controller to pass personal data directly to another Data Controller.

The Data Controller fulfills the request of the Data Subject within a maximum of 30 calendar days upon receipt of the request. If necessary, this deadline may be extended by another 60 days, taking into account the complexity of the request the overall number of requests.

13.4. Right to rectification

The Data Subject may contact the Data Controller in writing to request the

Data Controller to modify his or her personal data via the contact details specified in Section 3 of this Privacy Policy.

The Data Controller shall comply with the request of the Data Subject within a maximum of 30 calendar days upon

receipt of the request.

In the event that data is being provided regularly on the basis of the data that is to be corrected, the Data Controller informs the recipient of the data supply of the correction, provided this is necessary, and calls the attention of the Data Subject to the necessity of initiating this correction with any other Data Controller as well.

13.5. Right to deletion

The Data Subject may request in writing to have his or her personal data to be deleted or erased (deletion at any possible access point regarding the data), by submitting this request via the contact details specified in Section 3 of this Privacy Policy – with the exception of data processing that is based on the legitimate interest of the Data Controller, or required by a legal regulation without explicit consent.

The Data Controller shall fulfill the request within a maximum of 30 calendar days upon receipt – provided that the conditions for it are met (the Data Subject entitled to this right filed the request, the request is legitimate and there is no other legal basis for data processing under which the Data Controller may or shall deny the request). The Data Controller informs the Data Subject of the fact of the deletion or of the reason for refusal to comply with the deletion request.

The Data Controller will ensure the personal data is deleted by all those who have gained access to this personal data through the Data Controller.

If consent-based data processing is a prerequisite for the establishment and maintenance of an employment relationship, the Data Controller informs the data subject of this and the expected consequences.

13.6. Right to objection

The Data Subject may object in writing – but may not need to justify the objection – via

the contact details provided in Section 3 of this Privacy Policy if

the processing or transmission of personal data is only necessary to fulfill the legal obligation of the Data Controller or to enforce the legitimate interest of the Data Controller, a data processor or third party, unless data processing is required by law;

the use or transmission of personal data is done for the purpose of direct acquisition of business, for the purpose of a survey or scientific research or for statistical purposes;

in other cases specified by law.

The Data Controller informs the Data Subject of the right of objection in advance. The Data Controller must investigate the objection and make a decision regarding it within a maximum of 30 calendar days upon receipt of the request and inform the Data Subject in writing. If necessary, this deadline may be extended by another 60 days, taking into account the complexity of the request and the overall number of requests.

If the Data Controller establishes the validity of the objection by the Data Subject, data processing – including further data retrieval and data transmission – will be terminated, the data concerned will be placed under a block, and the Data Controller will notify all persons to whom the personal data had previously been possibly transferred to, of the fact of the objection and the measures taken based on it, and whom are also required to take action to enforce the right to objection.

If the Data Controller has a legitimate interest in the processing of data, the Data Controller may demonstrate that such legitimate interests have priority over the rights and freedoms of the Data Subject, or are related to the submission, validation or protection of such legal claims.

The Data Controller calls the attention of the Data Subjects to the fundamental difference between the right to objection and to deletion: the right of objection has the purpose of preventing the further processing of the personal data being processed for a predetermined purpose, while in case of deletion, the option for processing personal data for any purpose shall be prohibited and the Data Controller shall no longer store such data either. In some cases, the right to objection also entails an obligation for data deletion (e.g. data processing for the purposes of direct acquisition of business).

13.7. The right to restriction

The Data Subject may contact the Data Controller in writing via the contact details specified in Section 3 of this Privacy Policy to request restriction of the processing of his or her personal data if

the Data Subject disputes the accuracy of the personal data, in this case the restriction concerns the duration that is required for the Data Controller to perform a verification of the personal data;

data processing is illegal while the Data Subject is opposed to the deletion of the data and, instead, requests that they be restricted

the Data Controller no longer needs personal data for data processing but the Data Subject requires access to them to submit, enforce, or protect legal claims; or

the Data Subject objected to data handling; in this case, the restriction applies to the duration required for the Data Controller to determine whether the Data Controller’s legitimate interests prevail over the legitimate grounds of the Data Subject.

The personal data affected by the restriction shall only be stored by the Data Controller, other data processing may be performed solely with the consent of the Data Subject, for the purposes of submitting, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the public interest.

The Data Controller informs everyone whom the data affected by the restriction had been communicated to previously, of the fact of the restriction of the personal data.

The Data Controller shall fulfill the request for information by the Data Subject in writing within a maximum of 30 calendar days upon receipt of the request, by delivering the response to the address specified by the Data Subject.

If necessary, this deadline may be extended by another 60 days, taking into account the complexity of the request and the overall number of requests.

14. The rights of the Data Subject to remedies

14.1. Internal route

In the event of a violation of the law, the Data Subject may request a review of the senior manager of the person acting on behalf of the Data Controller or contact the Data Protection Officer appointed by the Data Controller.

14.2. Judicial route

The Data Subject, upon violation of his or her rights, may seek judicial remedy to enforce his rights under applicable law.

14.3. Authoritative route

The Data Subject, upon violation of his or her rights, may additionally lodge a complaint to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C., postal address: 1530 Budapest, Pf. 5.,

telephone: +36 -1-391-1400, fax: +36-1-391-1410, e-mail: ugyfelszolgalat@naih.hu) and may request a review by the Authority.

14.4. Claim for compensation

The Data Controller shall be obliged to reimburse any damage caused by the unlawful processing of the data of the Data Subject or damage caused by the breach of the requirements of data security. In addition, the Data Controller is liable to Data Subject for any damage caused by the data processor. The Data Controller is exempt from liability upon proving that the damage was caused by an unavertable cause outside the scope of data processing. No compensation is required for the damage if it was caused by the intentional or gross negligence of the injured party. The provisions of Hungarian civil law (Ptk.) are applicable for the general and civil liability of the Data Controller.

The Data Controller provides detailed information on options for legal steps at the request of the Data Subject.

15. Relevant legislation

Act CXII of 2011 on Informational Self-Determination and Freedom of Information Regulation (EU) 2016/679 of the European Parliament and of the Council